Smartphone applications have become increasingly important and popular in our daily lives and businesses. In 2013 alone, mobile app downloads surpassed 100 billion globally and the overall app usage grew by 115%. Users are spending an average of 2.5 hours every day on their smartphones, 80% of which is spent inside mobile apps. The popularity of mobile apps on smartphones makes them an attractive channel to collect user demographics, interests and other private information such as location.
There have been numerous studies on how to stop a malicious party (an app or a third party within the app) from accessing information it should not access. Orthogonal to these previous attempts, this disclosure focuses on an emerging privacy threat posed by a curious party who covertly links and aggregates a user's personal information, across sessions and apps, without his consent or knowledge. In the current smartphone ecosystem, curious parties can be:

Mobile applications. For example, a user follows political news and religious articles using the same news app, such as CNN or NYTimes. By aggregating both the user's political and religious interests, the app can deliver him personalized news content, such as “The END Of Anti-Gay Religious Rhetoric in Politics.” However, if the user is sensitive about what he reads, he may not want this type of unsolicited correlation across his interests in different subjects.

Advertising agencies. For example, a user downloads two ad-powered apps and exposes his age to the first one and his gender to the second. Since both apps include the same ad library, the advertising agency can associate both the age and the gender with him and send him targeted advertisements. The user, on the other hand, has no knowledge of this covert aggregation.

Network sniffers. As recently and widely publicized in the news media, government agencies such as the NSA and GCHQ conduct public surveillance by sniffing network traffic and aggregating personal information leaked by smartphone apps and ad libraries. A recent study shows that a similar sniffer is able to attribute up to 50% of the mobile traffic to the ‘sniffed’ users, on top of which detailed personal interests, such as political views and sexual orientation, can be extracted.
The severity and prevalence of this threat are rooted in the lack of unlinkability across each user's app usages in the smartphone ecosystem. By exploiting the various levels of consistency provided by device identifiers, software cookies, IP addresses, and local and external storage, an adversary can easily correlate app usages of the same user and aggregate supposedly ‘isolated islands of information’ into a comprehensive user profile, irrespective of the user's choice and (dis)approval.
However, from the user's perspective, only functionally-dependent app usages should be linkable. For example, for GTalk, app usages under the same login should be linkable to provide a consistent messaging service. For Angry Birds, usage of the same app should be linkable to allow the user to resume from where he stopped earlier. In contrast, for most query-like apps, such as Bing and Wikipedia, which neither enforce an explicit login nor require consistent long-term ‘memories’, app usages should be anonymous by default.
Based on these insights, a practical framework is presented that allows users to opt out of unregulated aggregation of their app usages by various curious third parties, including but not limited to mobile apps, advertising agencies and network sniffers. This framework is referred to herein as MASK. Specifically, MASK introduces a set of private execution modes which provide different levels of unlinkability across app usages. Upon invocation of each app, a user can apply one of the following modes to the current app session (from start to termination of the app), according to his functional needs:

Identifiable Mode: the user executes this app with an explicit real identity. App sessions sharing the same login are linkable.

Pseudonymous Mode: the user depends on persistent storage (consistent local states) for his current activity. App sessions within the same app are linkable.

Anonymous Mode: the user executes the current session statelessly, without leaving any persistent trace. App usages are unlinkable by default.
The app usages collected by a network sniffer and/or an ad agency all come from the mobile apps, either directly or indirectly. By applying the aforementioned execution modes, MASK splits these app usages into unlinkable profiles, each associated with a runtime environment that is isolated with respect to the various kinds of identifying information. Specifically, MASK creates an isolated runtime environment in which personal identifiers, such as account information, are stripped, device IDs, such as the IMEI number, are anonymized, and persistent storage is isolated. App usages that are supposed to be unlinkable are assigned to different runtime environments to ensure their unlinkability. For the identifiable mode, a persistent runtime environment is applied. For the pseudonymous mode, MASK allows the user to maintain multiple context-based runtime environments for use at home, at the office or during travel, etc., mitigating the influence of quasi-identifiers such as IP address and location. For the anonymous mode, a new runtime environment is applied whenever an app is invoked.
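The following model is an added illustration of the three execution modes and of how a curious party links sessions; it is not MASK's own code. It assumes a runtime environment consists of an optional account, a device ID and a storage key, that identifiable-mode environments are kept per (app, login) and pseudonymous-mode environments per (app, context), and that an app or ad library can observe all three identifiers of the environment it runs in. The names RuntimeEnv, Session, Mask, link_profiles, demo and baseline_profiles are chosen here for the example; the session list in demo is constructed.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed model of MASK's execution modes (not the framework's own code).
# Environment layout, keying of identifiable/pseudonymous environments and
# the set of identifiers a curious party can observe are assumptions.


@dataclass(frozen=True)
class RuntimeEnv:
    """One isolated runtime environment with its own identifying state."""
    env_id: int
    account: Optional[str]  # real identity; None when stripped
    device_id: str          # anonymized device ID (stands in for the IMEI)
    storage_key: str        # isolated persistent storage seen by the app

    def identifiers(self) -> FrozenSet[str]:
        """What a curious app or ad library can observe from this environment."""
        ids = {f"device:{self.device_id}", f"storage:{self.storage_key}"}
        if self.account is not None:
            ids.add(f"account:{self.account}")
        return frozenset(ids)


@dataclass(frozen=True)
class Session:
    app: str
    mode: str
    env: RuntimeEnv


class Mask:
    """Assigns a runtime environment to each app session by execution mode."""

    def __init__(self) -> None:
        self._next = count(1)
        self._identifiable: Dict[Tuple[str, str], RuntimeEnv] = {}
        self._pseudonymous: Dict[Tuple[str, str], RuntimeEnv] = {}

    def _fresh_env(self, account: Optional[str]) -> RuntimeEnv:
        n = next(self._next)
        return RuntimeEnv(n, account, f"anon-dev-{n}", f"store-{n}")

    def launch(self, app: str, mode: str, login: Optional[str] = None,
               context: str = "default") -> Session:
        if mode == "identifiable":
            if login is None:
                raise ValueError("identifiable mode needs an explicit login")
            # persistent environment per (app, login): sessions under the same
            # login stay linkable, as a messaging service requires (assumption)
            env = self._identifiable.get((app, login))
            if env is None:
                env = self._identifiable[(app, login)] = self._fresh_env(login)
        elif mode == "pseudonymous":
            # one consistent environment per (app, context), e.g. home vs travel
            env = self._pseudonymous.get((app, context))
            if env is None:
                env = self._pseudonymous[(app, context)] = self._fresh_env(None)
        elif mode == "anonymous":
            env = self._fresh_env(None)  # new environment on every invocation
        else:
            raise ValueError(f"unknown mode {mode!r}")
        return Session(app, mode, env)


def link_profiles(sessions: List[Session]) -> List[FrozenSet[int]]:
    """Model of a curious party: sessions sharing any observed identifier are
    merged into one profile (union-find). Returns profiles as index sets."""
    parent = list(range(len(sessions)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen: Dict[str, int] = {}
    for idx, s in enumerate(sessions):
        for ident in s.env.identifiers():
            if ident in first_seen:
                parent[find(idx)] = find(first_seen[ident])
            else:
                first_seen[ident] = idx
    groups: Dict[int, set] = {}
    for idx in range(len(sessions)):
        groups.setdefault(find(idx), set()).add(idx)
    return sorted((frozenset(g) for g in groups.values()), key=min)


def baseline_profiles(n: int) -> List[FrozenSet[int]]:
    """Without MASK: every session exposes the same real device ID and
    storage, so a curious party folds all of them into a single profile."""
    env = RuntimeEnv(0, None, "real-imei", "shared-store")
    return link_profiles([Session("any", "none", env) for _ in range(n)])


def demo() -> List[FrozenSet[int]]:
    """Constructed usage: seven sessions across the three modes."""
    m = Mask()
    sessions = [
        m.launch("gtalk", "identifiable", login="alice"),          # 0
        m.launch("gtalk", "identifiable", login="alice"),          # 1, linked to 0
        m.launch("angrybirds", "pseudonymous", context="home"),    # 2
        m.launch("angrybirds", "pseudonymous", context="home"),    # 3, linked to 2
        m.launch("angrybirds", "pseudonymous", context="travel"),  # 4, separate
        m.launch("bing", "anonymous"),                             # 5
        m.launch("bing", "anonymous"),                             # 6, separate
    ]
    return link_profiles(sessions)


if __name__ == "__main__":
    print("without MASK:", [sorted(p) for p in baseline_profiles(4)])
    print("with MASK:   ", [sorted(p) for p in demo()])
```

Running the block prints one profile covering all four baseline sessions, and for the MASK case the profiles {0, 1}, {2, 3}, {4}, {5} and {6}: the two GTalk sessions under the same login remain linkable, the two Angry Birds sessions in the home context share their saved state while the travel context is kept apart, and each anonymous Bing query stands alone.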
This section provides background information related to the present disclosure which is not necessarily prior art.